The Security Power of the Ballot Box

(1)

The Security Power of the Ballot Box

Matt Lepinski and Silvio Micali February 2, 2005

Abstract

We show that any function f can be securely evaluated by a protocol with ballots and a ballot box. That is, n mutually suspicious players, each playeripossessing a secret inputxi, can use ballots and ballot boxes to jointly evaluate f(x1, . . . , xn) = (y1, . . . , yn), so that (no matter how many players may collude and deviate from their prescribed instructions, and no matter how long they compute!) each player ilearns exactly yi with the same privacy and correctness as if all players privately handed their secret inputs to a trusted party, who privately evaluatesf and privately returnsyi to each playeri.

Our protocol is (1) efficient, (2) enjoys perfect privacy, (3) guarantees perfect correctness, (4) is universally composable in the sense of [DoMi00] and [Can01], and (5) is always collusion-free in the sense of [LMS05], even for games with secret actions.

1 Main Theorem

For any functionf, mappingnprivate inputs to a single public output, there exists an nparty protocol for a ballot-box network with public opening that securely evaluatesf.

We now procedure to define (1) a ballot-box network, (2) a ballot-box network with public opening and (3) the notion of securely evaluating a function. In a subsequent version of this work, we will provide a proof of our main theorem, generalize our results to functions with n inputs and n outputs and explore applications to economic mechanisms.

(2)

2 Communication Models

2.1 Ballot-Box Networks Intuition

We envisage a group of players, seating far apart around a large table, communicating in two ways. The first way is via broadcasting: a player stands up and loudly utters a given message. The second way is via identical, opaque envelopes(andsuper-envelopes) and aballot box.

Informally, a player can choose a message, write it on a piece of paper and seal it into a new, empty envelope. So long as it is not opened, the envelope totally hides and guarantees the integrity of its content. Only the owner of a sealed envelope can open it, either privately (in which case — though all other players are aware that he is opening it—- he will be the only one to read its content) or publicly (in which case all players will learn its content). A playerownsa sealed envelope if it is physically close to him. By definition, the player originally sealing a new envelope owns it. After that, ownership of an envelope can be transferred to another player by tossing it to him.

A player can also publicly put up to 4 of his envelopes into a new super- envelope E, in which case none of the resulting “sub-envelopes” can be opened beforeE. All super-envelopes are again opaque and identical among each other, but have a slightly larger size than (ordinary) envelopes. A super-envelopeE thus tightly packs its sub-envelopes, so that their relative order (counting —say— fromE’s front) does not change when E is moved about. The rules of ownership for super-envelopes are the same as for envelopes. There is, however, only one possible way for a player ito open a super-envelopeE of his: namely, all players become aware thatihas opened E, andE’s sub-envelopes become “exposed” again, and can thus be manip- ulated (e.g., opened or transferred) individually. Such sub-envelopes always guarantee the integrity and privacy of their contents.

Envelopes and super-envelopes always stay above the table and their transfers are always tracked by the players. The players can thus “mentally assign” to each envelope or super-envelope an identifier, j, insensitive to any possible change of ownership. The only exception is when a player i publicly puts some of his envelopes or super-envelopes into a ballot box:

when they are taken out, their contents will remain unchanged and private, but their identities are randomly permuted, in a way that is unpredictable to all players.

In essence, by putting on the table, opening, transferring and “ballot-

(3)

boxing” envelopes and super-envelopes, we obtain a communication system having a global memory different portions of which are observable by different players.

Formalization

We denote by A^L the Cartesian product of a set A with itself L times; by Σ the set of all finite binary strings; by#a special symbol not in Σ; by S_L the group of all permutations of L elements; by x := y the operation that assigns valueyto variablex; byrand(X) the function that selects a random element (uniformly and independently) from a finite setX.

Definition: An envelope is a triple (i, j, c), where i is a player, j a positive integer, and c a finite binary string. A super-envelope is a triple (i, j, c), where again i ∈ N and j ∈ N, but c ∈ Σ^L, L >

1, is a tuple of strings. A ballot is either an envelope or a super- envelope. If (i, j, c) is ballot, we refer to i as the ballot’s owner, to j as the ballot’s identifier, and to c as the ballot’s content. A set of ballots iswell-definedif, for eachj∈N, there exists at most one ballot with identifier j. By the expression “ballot j” we mean the unique ballot, if any, having identifierj. To emphasize that ballot j actually is an envelope (super-envelope) we may use the expression “envelope j” (“super-envelope j”).

Definition: Aballot-box network consists of a set of global variables, thenetwork memory, modifiable solely through a specific set of operations, thenetwork operations.

The variables of the network memory are: a well-defined set of ballots B; a public history H, readable by all players; and, for each playeri, aprivate history of i,h_i, readable only byi. (Variable H is a publicly observable transcript of all network operations so far; it consists of a list of items separated by#. Variableh_i is i’s private transcript of all network operations so far.)

The network operations (defined via the auxiliary variable max, the highest identifier of a ballot inB) are:

– player i broadcasts m: ifm∈Σ, thenH :=H# broadcast, i, m

(4)

– i makes a new envelope with public content c: if c ∈ Σ, then max := max+ 1; B := B+{(i, max, c)}; h_i := h_i# (i, max, c);

andH :=H# NewPublicEnvelope,(i, max, c).

– i makes a new envelope with private content c: if c ∈ Σ, then max:=max+ 1; B :=B+{(i, max, c)}; and

H:=H# NewPrivateEnvelope, i, max.

– i publicly opens envelope j: if (i, j, c) ∈B and c∈ Σ, then B :=

B− {(i, j, c)}and H :=H# open,(i, j, c).

– i privately opens envelope j: if (i, j, c) ∈ B and c ∈ Σ, then B:=B− {(i, j, c)};hi :=hi# (i, j, c); and H:=H# Open, i, j.

– i makes a new super-envelope from envelopesj1, . . . , jL:

if (i, j₁, c₁), . . . ,(i, j_L, c_L)∈B, thenB :=B−{(i, j₁, c₁), . . . ,(i, j_L, c_L)};

max:=max+ 1; B :=B+{(i, max,(c1, . . . , cL)};

H:=H# NewSuper, i, j1, . . . , jL.

– i opens super-envelope j: if (i, j,(c₁, . . . , c_L)) ∈ B, then B :=

B− {(i, j,(c1, . . . , cL))};B:=B+{(i, max+ 1, c1), . . . ,(i, max+ L, cL)};max:=max+L; andH :=H# OpenSuper, i, j.

– i transfers ballot j to k: if (i, j, c) ∈ B, then max := max+ 1;

B:=B− {(i, j, c)}+{((k, max, c)};H :=H# Transfer, i, j, k.

– i ballot-boxes j1, . . . , jL: if (i, j1, c1), . . . ,(i, jL, cL) ∈ B, then B := B − {(i, j₁, c₁), . . . ,(i, j_L, c_L)}; π := rand(S_L); B := B + {(i, max+1, c_π(1)), . . . ,(i, max+L, c_π(L))};max:=max+L;H:=

H# BallotBox, i, j1, . . . , jL.

– i reads and reseals envelope j: if (i, j, c) ∈ B and c ∈ Σ then h_i :=h_i# (i,j,c);H:=H# Reseal, i, j.

– i publicly permutes identifiersj1, . . . , jLbyπ: if (i, j1, c1), . . . ,(i, jL, cL)∈ B, thenB:=B− {(i, j₁, c1), . . . ,(i, j_L, c_L)};B:=B+{(i, max+

1, c_π(1)), . . . ,(i, max+L, c_π(L))};max:=max+L;

H:=H# PublicPermute, i, j1, . . . , jL, π.

– i aborts: H :=H# Abort, i.

Network operations are executed one at a time, and without any in- terruption. Immediately after an execution, all players actually read the modified variables available to them.

By the expression i makes a new envelope j with private (or public) content c we mean that i makes a new envelope and that the identifier

(5)

assigned to it actually is j. Similarly, by i makes a new super-envelope j from envelopes j₁, . . . , j_L with identifier j we mean that j actually is the identifier assigned to the new super-envelope made by i. Finally, we will use the expressions i opens super-envelope j to expose envelopes k1, . . . , kL

andiballot-boxesj₁, . . . , j_L to get ballotsk₁, . . . , k_Lto mean that identifiers k₁, . . . , k_L are the identifiers assigned to the ballots created by the opening or ballot-boxing operation.

Remarks

Notice thatBremains well-defined after each network operation. Also notice that, at any point, the highest identifier of a ballot inB is bounded by the total number of ballots created up to that point.¹

Our formalization of a ballot-box networks captures the salient features of “ownership” and “opening” of our intuitive model. No player can open a ballot he does not own. When a super-envelope is created from a set of envelopes, the latter are removed from the ballot set, and thus cannot be opened by anyone. Finally, when a super-envelope (i, j,(c1, . . . , cL)) is opened by i, new envelopes with owner iand respective contents c₁, . . . , c_L are created. This is consistent with our intuitive description, where ownership corresponds to physical proximity: if super-envelopejis close to player iand, due to this proximity, it is indeed opened by him, then the envelopes exposed by opening super-envelopej will also be close to i.

To simplify the description of our protocols, we provide a redundant set of network operations. For example, to broadcast m a player can create a new envelope with contents m and then publicly open it. As for another example, the read-and-reseal operation could be implemented —although in a convoluted way— using only other network operations.

Our formalization of super-envelopes, and ballot boxes is slightly more general than needed in this paper: our protocols do not require super- envelopes to contain at more than 4 sub-envelopes or ballot-boxes to ran- domize more than 5 ballots, nor the identification of the player causing an abort.

The abort operation merely alerts all players by placing a special symbol in the public history, but does not effect the future network operations of

1Therefore our way to ensure that no two ballots have the same identifier has no negative effect on the existence of “polynomial-time” protocols. (If, instead, each new ballot identifier were chosen to be twice as long as the previous one, a protocol usingk ballots would require exponentially many (ink) elementary operations —which certainly include the reading or writing of each identifier bit.)

(6)

“bad players.” This is again consistent with our intuitive model: for instance, a player leaving the table cannot stop other players from opening their own ballots or making new ones. (In our protocols, when the symbol Abort appears in the public history, a “good” player takes no further action. But “bad” players may continue to perform network operations on the current network memory. Thus our protocols are designed so that, if an abort occurs, bad players cannot gain undue information by opening their own ballots.)

2.2 Ballot-Box Networks with Simultaneous Public Opening We must augment our standard ballot-box network with on additional operation in order to securely evaluate a function with a single public output in such a way that either all players learn the output or else no one learns anything. The operation we add is that, if all players agree, then a specified set of envelopes will be publicly opened. We now describe this operation formally:

Definition: A ballot-box networks with simultaneous public opening is a ballot-box network augmented with the following operation.

– All open envelopesj₁, . . . , j_L: If (i₁, j₁, c₁), . . . ,(i_L, j_L, c_L) are envelopes in∈B, andHends in the string# broadcast, 1,(j₁, . . . , j_L)

#... # broadcast,n,(j1, . . . , jL), thenH :=H#(c1, . . . , cL).

We think of this operation as being performed with the aid of a weakly trusted party who collects the envelopes to be opened and then publicity reveals their contents. Notice that this party is not trusted with any secrets, he is only trusted to open a set of envelopes and real their contents.

3 The Notion of Securely Computing Common- Output Functions

In this section we wish to define what it means for n players to compute securely a function f from n private inputs to a single, public output (in any of our envisaged communication networks).

(7)

3.1 Intuition

Informally, a protocol specifies the strategies, P1, . . . , Pn, for good players to use for communicating in the underlying network. If each player i started with private input x_i and all players are good —-i.e., follow their own strategies— (P1(x1), . . . , Pn(xn)) specifies an execution of a protocol.

Difficulty of Secure Evaluation without Bad Players. No- tice, however, that designing a protocolP for securely evaluating a function y=f(x1, . . . , xn) is hard, even if all players stick to communicating accord- ing to their prescribed strategies. In fact “forget what you have seen after termination except the result” is not a reasonable instruction —certainly it does not an operation of our communication models! Consequently, players who send messages as told, can easily evaluate f correctly, but can they as easily guarantee the desired privacy? For instance, assume that eachx_i represents the price that player i is willing to pay for a given item, and the player wish to implement a second-price auction —i.e., that f is the function returning the second highest price and the identity of the highest bidder. Then it is trivial to find strategiesP1, . . . , Pn, so thatf is correctly evaluated, but much harder to ensure that the players, seeing their own tran- scripts of the communication cannot deduce more that the auction desired outcome!

Secure Evaluation with One Bad Player. This task become more daunting if some players will deviate from their prescribed strategies. Tra- ditionally, Game Theory focuses on single-player deviations. For instance, a single player,i, may repudiatePi and use instead a deviating strategyP_i⁰. In this case, our task becomes that of designing ann-tuple of strategies,P, such that, for any possible playeri and strategy P_i⁰, (P_i⁰, P−i) continues to be a correct and private evaluation off.

The Problem of Bad Inputs. Assume now that there is only one bad player, but what is his input? For a good player, i, his input is x_i. A bad playerj, however, might ignore his input in which case we have no hope of computing a function of this input. On the other hand, we cannot say that a bad playerj has no input or has an input which is pinned down after the protocol is complete. If a bad player is not required to commit to some input early in the protocol then he might be able to produce unacceptable outcomes. For example, in an auction, a bad player might get the auction to always output ”playerj wins and pays price maxi6=j(xi). This is, of course, a valid output of the function if j had bid maxi6=j(xi) + 1 but surely it is unacceptable to always produce this outcome when playerjshould not know the value maxi6=j(xi).

(8)

3.2 Formalization

Protocols and Adversaries. In all our protocols players are deterministic (the only source of randomness comes from their use of the ballot box).

Therefore we slightly simplify our definition of a protocol so as to envisage deterministic strategies for the good players.

We envisage that one player at a time is active in taking an action: for instance, the order of activity could be 1, . . . , n,1, . . . If player 1 should act based on the action of player 2, however, this order of activity is inefficient, since all other players would need to take the “empty action” to enable the desired dependency. For efficiency sake, we thus let a protocol specify the exact sequence of players who will be active in its executions. If a protocol envisagesk operations, it will specify the sequence of k players performing them.

An adversary is an algorithm that corrupts and controls some of the players. We explicitly specify the adversary be probabilistic, and thus, to guarantee a complete description of an execution, we let the adversary algorithm produce the coin tosses it uses in its computations.

Definition: Ann-player,k-operationprotocolP consists of ann-tuple of strategies, and a k-long sequence of players. We let Pi denote ith strategy of P, and PS the sequence of players of P. On any input, P_i produces either (1) a network operationop_i for player i, or (2) the special symbolhalt and anoutput outi ∈Σ∪ {abort}.

AnadversaryA is a probabilistic strategy that, on any input X, produces (1) a valuev and the sequence of coin tossesR used to compute v fromX.

Executing Protocols and Adversaries. When a protocol is executed with an adversary, all players begin with private input — the values on which they want to compute a function — and auxiliary inputs – which represents any additional information a player may have from previous protocols. “Good” players following the protocol strategy ignore their auxiliary input, but when the adversary corrupts a good player it learns the player’s auxiliary input and may make use of that information. During an execution, an adversary viewh_Ais maintained which contains all information available to the adversary. In an execution, the adversary gets a chance to corrupt players, then the first player in the protocol’s player sequence performs an operation, the adversary gets another chance to corrupt players and the protocol continues with the next player in the player sequence selecting an

(9)

operation. This continues until the player sequence is reached and all players have halted.

Definition: An execution ofP with inputs (x₁, . . . , x_n) and auxiliary inputs (a1, . . . , an) and A with auxiliary inputα and set of corrupted players C ⊂ N is generated by processing —one at a time— every element inPS, starting with an empty network memory and an initial adversary historyhA= (α, C, xC).

Processing an element ofPSconsisting of (an occurrence of) playeriis done in two phases. In the first,Acorrupts as many additional players as he desires. In the second, playeriselects the network operation to be executed. That is, iis processed by executing the following three steps:

Step 1: The adversary history is updated so as to include the right portions of the network memory: h_A := h_A # h_c, H. Then A is run on the updated hA to produce a valuev with corresponding coins R, and the adversary history is further updated so as to include the coins just used: h_A := h_A#R. As long as v is the identity of a player j, then i is added to the set of corrupted players,C:=C∪ {j},i’s private and auxiliary inputs and private history are given to the adversary,h_A:=h_A# (a_j, x_j, h_j), andA is run again on the updatedhA.

Step 2: If i ∈ C, then A is run on h_A to produce a value v with corresponding coinsR, and the adversary history is updated so as to include these coins: h_A:=h_A# R. Ifv is a network operation forithen the operation is immediately performed so as to update the network memory.

Step 3: If i 6∈ C, unless Pi has previously output halt, Pi is run on input (xi, hi, H) and (1) if Pi produces a network operation opi, thenop_i is immediately executed so as to modify the current network memory, otherwise (2) ifP_i produceshalt then the current public history and the private history of i are appended to ai: a_i:=a_i#H, h_i.

After all elements of PS have been processed, Step 1 is executed one more time (to give the adversary an opportunity to corrupt additional players and gain additional information).

Execution Notation. In an execution of a protocol P, we say that

(10)

player i halts when Pi outputs halt, and that the protocol halts when all players halt.

We say that an execution of P has aborted (by operation m) if a good player outputs abort (before the processing of the mth element of PS has ended).

Ife is an execution ofP and A, then

• h_A(e) shall denote thefinal history ofA: the value of h_Aafter the final execution of Step 1;

• h^m_A(e) shall denote the value of h_A when operation m+ 1 is about to be executed;²

• C(e) shall denote thefinal corrupted set: C’s value after the final execution of Step 1.

• C^m(e) shall denote the set of corrupted players when operationm+ 1 is about to be executed;

• H(e) shall denote thefinal public history in e; and

• h^m_i (e) shall denote the private history of player iin eafter processing themth element ofPS;

• hi(e) shall denote thefinal private history of player iine: i.e., hi(e) = h^k_i(e).

Effective Inputs and Outputs. The effective inputs of the players are the values upon which the function is actually computed and depends on the network operations executed before some roundm. The effective input function determines a player’s effective input based on his private history.

We require that good players have effective inputs equal to their private inputx_i but a corrupted player might select a different value as his effective input. An effective output is the public output actually computed by the protocol. The effective output function determines the effective output based on the final public history.

Definition: LetP be ak-operation,n-party protocol,IN= (IN1, . . . ,INn) an n-tuple of functions. We say that IN is aneffective input function forP if there exists a natural numberm < ksuch that, in any execu- tioneof P with an adversaryA

• Ifehas aborted by themth operation, thenIN_i(h_i(e)) =IN_i(h^m_i (e)) =

⊥for all players i;

• Else,x_i=IN_i(h_i(e) =IN_i(h^m_i (e)) for all good playersi.

2I.e., the value ofhA at the end of Step 1 of the processing of elementm+ 1 ofPS

(11)

We say thatOU T is aneffective output function forP if, in any exe- cutioneofP with an adversaryAthat has aborted,OU T(H(e)) =⊥.

Secure Protocols. A protocol securely evaluates a function if no matter what a malicious adversary does (1) he cannot prevent the function from being correctly computed unless he aborts the protocol; (2) prior to the final public opening, he has absolutely no information about the honest player inputs except what can be derived from the corrupted player inputs and auxiliary inputs; and (3) even after the the final public opening, the only information he has about honest player inputs is what can be derived from the corrupted player inputs and the public output.

Definition: We say that a protocol P in a ballot-box network with simultaneous public openingsecurely evaluatesa functionf if there exists an effective input functionINand an efficiently computableoutput functionOU T such that for any adversaryA corrupting at mostn−1 players and for any distributionDover tuples (x₁, . . . , x_n, a₁, . . . , a_n, α), in a random execution e of P and A with inputs drawn from D the following three properties hold:

• Ifehas not aborted thenf(IN₁(h₁(e)), . . . ,IN_n(h_n(e))) =OU T(H(e));

• I(x_−C^k−1_(e);h^k−1_A (e)| hx_C^k−1_(e), a_C^k−1_(e), αi) = 0;

• I(x_−C(e);h_A(e)| hx_C, a_C(e), α, OU T(H(e))i) = 0.

Remarks

Above we state our definition in terms of mutual information. However, we could equivalently state our definition in terms of conditional entropy as follows:

H(x_−C^k−1_(e)| hx_C^k−1_(e), a_C^k−1_(e), αi) = H(x_−C^k−1_(e)| hh^k−1_A (e), x_C^k−1_(e), a_C^k−1_(e), αi) H(x_−C(e)| hx_C(e), a_C(e), α, OU T(H(e))i) = H(x_−C(e)| hhA(e), x_C(e), a_C(e), α, OU T(H(e))i)

(12)

References

[Can01] Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In Proc. 42nd FOCS, 2001.

[DoMi00] Yevgeniy Dodis and Silvio Micali. Parallel Reducibility for Information-Theoretically Secure Computation. InProc. of Crypto 2000, 2000.

[LMS05] Matt Lepinski, Silvio Micali and Abhi Shelat. Collusion-Free Pro- tocols. In Proc. 37th STOC, 2005.